
Abstract:

A secure communication module is provided for securing communication
between a client application and a network service. The secure
communication module comprises an authentication identifier provider for
providing the client application a pool of authentication identifiers for
use in subsequent communication with the network service, and an
authentication identifier validator for checking the validity of an
authentication identifier from the pool of authentication identifiers
sent with the subsequent communication.

Claims:

1-37. (canceled)

38. An authentication apparatus for authenticating communication between a
client and one or more web services, the authentication apparatus
comprising:

a computer readable memory storing instructions; and

a processor for executing the instructions stored in the computer readable
memory, the instructions when executed by the processor configuring the
authentication apparatus to provide:

an authentication identifier provider for providing to a client
application executed on a client a plurality of authentication identifiers
over a secure communication channel established over the network,
individual authentication identifiers of the plurality of authentication
identifiers for use in validating subsequent client application requests
to access functionality provided by a web service;

an authentication identifier validator for validating the client
application's authorization to access the requested functionality of the
web service using an authentication identifier from the plurality of
authentication identifiers received with a client application request to
access functionality provided by the web service; and

a communication module for receiving, over an unsecure communication
channel established over the network, the client application request and
the associated authentication identifier and sending the request to
access functionality to the web service when the client application's
authorization to access the web service is validated by the
authentication identifier validator.

39. The authentication apparatus of claim 38, wherein each authentication
identifier is invalidated after being validated by the authentication
validator, whereby each authentication identifier can only be used once.

40. The authentication apparatus of claim 38, further comprising an
authentication module for authenticating the client application prior to
providing the client application the plurality of authentication
identifiers.

41. The authentication apparatus of claim 38, further comprising an
authorization module for checking if the client application has
authorization to access the functionality of the web service.

42. The authentication apparatus of claim 38, further comprising a
repository for storing information relating to the plurality of
authentication identifiers.

43. The authentication apparatus of claim 42, wherein the repository
further stores information relating to the client application, and the
web service.

44. The authentication apparatus of claim 38, further comprising a billing
module to bill for the pool of authentication identifiers.

45. The authentication apparatus of claim 38, further comprising a
metering module for tracking usage of the pool of authentication
identifiers.

46. A system for authenticating communication over a network comprising:

a client computing device coupled to the network, the client executing a
client application for receiving a plurality of authentication identifiers
over a secure channel through the network and sending over an unsecure
communication channel through the network a client application request
and an associated authentication identifier;

a web service coupled to the authentication apparatus through the network
for receiving the request to access the functionality of the web service;
and

an authentication server coupled to the network for:

providing the plurality of authentication identifiers to the client over
the secure communication channel established through the network,
individual authentication identifiers of the plurality of authentication
identifiers for use in validating subsequent client application requests
to access functionality provided by the web service;

receiving, over the unsecure communication channel established through
the network, the client application request and the associated
authentication identifier;

validating the client application's authorization to access the requested
functionality of the web service using the authentication identifier from
the plurality of authentication identifiers received with the client
application request to access functionality provided by the web service;
and

sending the request to access functionality of the web service when the
client application's authorization to access the web service is
validated.

47. The system of claim 46, wherein each authentication identifier is
invalidated after being validated by the authentication validator,
whereby each authentication identifier can only be used once.

48. The system of claim 46, wherein the authentication apparatus further
comprises an authentication module for authenticating the client
application prior to providing the client application the plurality of
authentication identifiers.

49. The system of claim 46, wherein the authentication apparatus further
comprises an authorization module for checking if the client application
has authorization to access the functionality of the web service.

50. The system of claim 46, wherein the authentication apparatus further
comprises a repository for storing information relating to the plurality
of authentication identifiers.

51. The system of claim 50, wherein the repository further stores
information relating to the client application, and the web service.

52. The system of claim 46, wherein the authentication apparatus further
comprises a billing module to bill for the pool of authentication
identifiers.

53. The system of claim 46, wherein the authentication apparatus further
comprises a metering module for tracking usage of the pool of
authentication identifiers.

54. The system of claim 46, wherein the communication module of the
authentication apparatus further receives a response from the web service
and sends the response back to client.

55. A method of authenticating communication between a client and a web
service, the method comprising:

sending, from the client, client application credentials over a secure
communication channel;

receiving and authenticating, at a server, the client application
credentials;

providing a plurality of authentication identifiers to the client over the
secure communication channel established through the network, individual
authentication identifiers of the plurality of authentication identifiers
for use in validating subsequent client application requests to access a
web service;

receiving at the client the plurality of authentication identifiers;

sending a client application request to access the web service with an
associated authentication identifier from the plurality of received
authentication identifiers;

receiving, over an unsecure communication channel established through the
network, the client application request and the associated authentication
identifier;

validating the client application's authorization to access the requested
functionality of the web service using the authentication identifier from
the plurality of authentication identifiers received with the client
application request to access functionality provided by the web service;
and

sending the request to access functionality of the web service when the
client application's authorization to access the web service is
validated.

56. The method of claim 55, further comprising:

receiving at the web service the web service request;

processing at the web service the web service request;

sending a web service response to the server in response to the received
web service request;

receiving the web service response at the server; and

sending the web service response to the client.

57. The method of claim 56, further comprising:

sending a second client application request to access the web service
with a second associated authentication identifier from the plurality of
received authentication identifiers.

Description:

[0002]This invention relates to distributed computing, where software
running on a client system interacts with software running on remote
server systems. In particular, the invention relates to a system and
method for secure communication.

BACKGROUND OF THE INVENTION

[0003]Software developers wish to provide programmatic functionality over
the Internet through the creation of web services. These web services
provide some valuable technology in which the developer has expertise.
Web services are often deployed in such a way that the user of the web
service has a direct connection with a server.

[0004]One problem that arises from this process of exposing the web
services for consumption over the web by an end user application is that
in order to protect these web services from unauthorized access over the
Internet, the web services must somehow incorporate authentication and
authorization of users and other security measures. When a user wishes to
use a web service on a server, the server usually needs to ensure that
the user is authorized to have access. This authentication of the user is
typically done by sending the user's name and password to the server,
which then verifies the given data before granting access. Since the
authentication data is sensitive, it is desirable to send it over a
secured channel, such as the hypertext transfer protocol over secure
socket layer (https), which encrypts the data. Using a secured channel is
safer but slower than an unsecured channel since it requires the extra
encryption/decryption steps.

[0005]An alternative solution is to have the user log into the web service
once by sending the user name and password over the secure channel and in
return the user will receive a unique authentication identifier (ID) over
the secured channel. Sometimes an authentication ID is called a session
ID. However, there is a distinction between a session ID that refers to a
locked communication between a client and a server and a session ID that
refers to the fact that authentication has occurred. Thus, the term
authentication ID will be used in this specification.

[0006]Successive calls to the web service are then made over an unsecured
channel with the authentication ID to identify the user. Since the user
name and password are not sent during the successive calls, the calls no
longer need to be made over a secure channel. The calls can be sent over
an unencrypted channel, such as the hypertext transfer protocol (http).
This will improve performance as well as limit the number of times that
the user name and password are sent. When the server receives a web
service call, it will authorize the user by verifying that the
authentication ID is valid at that point in time.

[0007]This use of an authentication ID is only partially acceptable since
the user name and password are safe as they are passed over the secure
channel once and the user can still be authenticated for access to web
services using the authentication ID. The problem is that since the web
service calls are not done over a secured channel, the authentication ID
could be compromised. Anyone who is observing the unsecured channel could
note the authentication ID as it is used in the web service calls. They
could then reuse this authentication ID and gain unauthorized access to
the web service.

[0008]One adaptation to the use of an authentication ID is to have the
authentication ID time out after a certain period of time. Once an
authentication ID has expired, anyone who has obtained it with or without
authorization will no longer be able to use it and the authorized user
will have to log on again and receive a new authentication ID.

[0009]While the time-out of an authentication ID solution is better than
no solution, there is still the problem that a misuse of a web service
may occur for a limited time. It is desirable to provide means for
providing better security when providing services over a network.

SUMMARY OF THE INVENTION

[0010]It is an object of the invention to provide a novel system and
method for providing better security when providing services over a
network. The novel system and method will obviate or mitigate at least
one of the disadvantages of existing systems.

[0011]In an aspect of the present invention, there is provided a secure
communication module for securing communication between a client
application and a network service. The secure communication module
comprises an authentication identifier provider for providing the client
application a pool of authentication identifiers for use in subsequent
communication with the network service, and an authentication identifier
validator for checking the validity of an authentication identifier from
the pool of authentication identifiers sent with the subsequent
communication.

[0012]In another aspect of the present invention, there is provided a
method for securing communication between a client application and a
network service. The method comprises steps of providing the client
application a pool of authentication identifiers for use in subsequent
communication with the network service, and checking the validity of an
authentication identifier from the pool of authentication identifiers
sent with the subsequent communication.

[0013]In another aspect of the present invention, there is provided
computer readable media storing the instructions and/or statements for
use in the execution in a computer of a method for securing communication
between a client application and a network server. The method comprises
steps of providing the client application a pool of authentication
identifiers for use in subsequent communication with the network service,
and checking the validity of an authentication identifier from the pool
of authentication identifiers sent with the subsequent communication.

[0014]In another aspect of the present invention, there is provided
electronic signals for use in the execution in a computer of a method for
securing communication between a client application and a network
server. The method comprises steps of providing the client application a
pool of authentication identifiers for use in subsequent communication
with the network service, and checking the validity of an authentication
identifier from the pool of authentication identifiers sent with the
subsequent communication.

[0015]In another aspect of the present invention, there is provided a
computer program product for use in the execution in a computer of a
method for securing communication between a client application and a
network server. The computer program product comprises an authentication
identifier provider for providing the client application a pool of
authentication identifiers for use in subsequent communication with the
network service, and an authentication identifier validator for checking
the validity of an authentication identifier from the pool of
authentication identifiers sent with the subsequent communication.

[0016]Other aspects and features of the present invention will be readily
apparent to those skilled in the art from a review of the following
detailed description of preferred embodiments in conjunction with the
accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0017]The invention will be further understood from the following
description with reference to the drawings in which:

[0018]FIG. 1 shows an example of a secure communication module in
accordance with an embodiment of the present invention;

[0019]FIG. 2 is a flowchart showing a method for providing a pool of
authentication identifiers in accordance with an embodiment of the
present invention;

[0020]FIG. 3 is a flowchart showing a method for using a pool of
authentication identifiers in accordance with an embodiment of the
present invention;

[0021]FIG. 4 shows another example of a secure communication module, in an
example of a secure communication environment, in accordance with an
embodiment of the present invention;

[0022]FIG. 5 shows a sequence of events to log into and make web service
calls in accordance with an embodiment of the invention; and

[0023]FIG. 6 is a flowchart showing another method for providing a pool of
authentication identifiers in accordance with an embodiment of the
present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0024]This description contains references to login and logon procedures.
The embodiments of the inventions described in this specification apply
to both login and logon procedures. A login reference is intended to
include a logon reference and vice versa.

[0025]FIG. 1 shows a secure communication module 100 in accordance with an
embodiment of the present invention. An aspect of the secure
communication module 100 relates to the use of a pool of authentication
IDs during network communication. The pool of authentication IDs contains
a plurality of authentication IDs. The secure communication module 100
comprises an authentication identifier (ID) provider 101 and an
authentication ID validator 102. The authentication ID provider 101
assigns a pool of authentication IDs to a client application when the
client application logs onto a network service such as a web service. The
authentication ID validator 102 authenticates authentication IDs. The
authentication IDs may be passed as parameters during network
communication, as will be described below. The authentication ID provider
101 and the authentication ID validator 102 may comprise software code or
code embedded in hardware. Other components may be added to the secure
communication module 100, including a communication module for receiving
and sending communication.

[0026]The user of a client application logs onto a network service by
sending client application credentials, typically a user name and
password, over a secured channel as described above. In return, the
client application receives a group or pool of authentication IDs. The
pool of authentication IDs returned is secure since the pool is sent back
over the secured channel. The exact number of IDs returned may vary
depending on the system administration requirements for the network
service 21. Once the client application has this pool of authentication
IDs, the client application may use a different authentication ID with
each successive method call to the network service 21. The authentication
ID that is used expires upon use so that it can not be reused. This means
that even if an eavesdropper is able to compromise an authentication ID,
the eavesdropper will not be able to use it since it can only be used
once.

[0027]After the client application has used up all the authentication IDs
in the pool that was given, the client application may log on again to
receive another pool of authentication IDs. No one other than the client
application is able to use the authentication IDs since the
authentication IDs are always given to the client application over a
secured channel and they expire upon use. Each authentication ID is not
compromised during or after its use over an unsecured channel because an
unauthorized person who manages to capture an authentication ID over an
unsecured channel only receives an expired authentication ID.

[0028]Further security features may be added to the pool of authentication
IDs. For example, unused authentication IDs in a pool of authentication
IDs can be set to expire after a preset event such as the expiry of a
period of time.

[0029]FIG. 2 shows a method for providing a pool of authentication IDs
(200) for use in network communication. The method begins with the secure
communication module 100 receiving a request for a pool of authentication
IDs (201) over a secured channel. Typically, the request will come from a
user using a client application 15. The authentication ID provider 101
creates and assigns a pool of authentication IDs (202). The
authentication IDs may be passed as parameters by the client application
during network communication. The authentication IDs may be created and
assigned by code in the authentication ID provider 101. The client
application is sent the pool of authentication IDs (203) over a secured
channel and the method is done (204). The client application may now use
the authentication IDs.

[0030]FIG. 3 shows a method for using a pool of authentication IDs. During
subsequent network communication over an unsecured channel such as http,
an authentication ID from the pool of authentication IDs is sent as a
parameter in the communication. The authentication ID is received by the
secure communication module 100 (301) and passed to the authentication ID
validator 102. If the authentication ID is not valid (302), then the
communication is not allowed to proceed and the method is done (305). If
the authentication ID is valid (302), then the next step is to check
whether the client application (or user) is authorized to send the
communication (303). If the client application is not authorized (303),
then the communication is not allowed to proceed and the method is done
(305). If the client application is authorized (303), then the
communication is allowed to proceed (304) and the method is done (305).
Alternatively, an error message may be returned to the client application
when the communication is not allowed to proceed.

[0031]As described above, the authentication ID provider 102 may comprise
code which assigns a pool of authentication IDs to a client application
when the client application logs into a network service. These
authentication IDs are passed as parameters in network service calls. The
authentication ID validator 102 may comprise code to validate the
authentication ID. The authentication code may be implemented in a number
of ways. In an example of an embodiment of the present invention, a
working table mapping is created when the client application is
authenticated (i.e., client credentials are correct and the pool of
authentication IDs is returned). An authentication ID is checked every
time a network service is called, then deleted if the client application
logs off or the authentication ID expires. An alternative that uses a
hashing system would require care to remain as secure.
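The following is an added example, written for this page and not code from the patent or its applicant, that implements the FIG. 2 and FIG. 3 flows with the working table mapping of [0031]: the provider creates a pool of random IDs and records each one against the client application and an expiry time for unused IDs ([0028]); the validator removes an ID from the table the moment it is presented, so a second presentation (a replayed ID captured on the unsecured channel) fails; the module then performs the separate authorization check (303) before letting the call proceed (304). The class names, the pool size, the five-minute expiry for unused IDs, the per-client permission map and the injectable clock are assumptions made for the example.

```python
import secrets
import time

# Added example (not the patent's code): a minimal authentication ID provider
# and validator implementing the FIG. 2 / FIG. 3 flow with the "working
# table" of [0031]. Class names, pool size, TTL and the permission map are
# assumptions for illustration.

DEFAULT_POOL_SIZE = 5          # pool size is an administration setting ([0026])
UNUSED_ID_TTL_SECONDS = 300    # unused IDs expire after a preset period ([0028])


class AuthIdProvider:
    """Step 202: create and assign a pool of authentication IDs to a client."""

    def __init__(self, working_table, ttl=UNUSED_ID_TTL_SECONDS, now=time.time):
        self.working_table = working_table   # auth_id -> (client, expires_at)
        self.ttl = ttl
        self.now = now                       # injectable clock for testing

    def issue_pool(self, client, size=DEFAULT_POOL_SIZE):
        expires_at = self.now() + self.ttl
        pool = []
        for _ in range(size):
            # 128-bit random IDs, so an observer cannot guess the unused ones
            auth_id = secrets.token_urlsafe(16)
            self.working_table[auth_id] = (client, expires_at)
            pool.append(auth_id)
        return pool   # step 203: returned to the client over the secured channel


class AuthIdValidator:
    """Step 302: check an ID and invalidate it on use ([0026]: expires upon use)."""

    def __init__(self, working_table, now=time.time):
        self.working_table = working_table
        self.now = now

    def validate(self, auth_id):
        # pop() removes the entry whether or not it is still valid, so a
        # replayed or expired ID can never succeed on a later call
        entry = self.working_table.pop(auth_id, None)
        if entry is None:
            return None                        # unknown or already used
        client, expires_at = entry
        if self.now() > expires_at:
            return None                        # unused ID timed out
        return client                          # the ID identifies the client


class SecureCommunicationModule:
    """Ties steps 301-305 together with the authorization check (303)."""

    def __init__(self, permissions, now=time.time):
        self.working_table = {}
        self.provider = AuthIdProvider(self.working_table, now=now)
        self.validator = AuthIdValidator(self.working_table, now=now)
        self.permissions = permissions     # client -> set of allowed methods

    def login(self, client, size=DEFAULT_POOL_SIZE):
        # the credential check itself (FIG. 6, step 602) is outside this example
        return self.provider.issue_pool(client, size)

    def handle_call(self, auth_id, method):
        client = self.validator.validate(auth_id)            # steps 301-302
        if client is None:
            return "rejected: invalid authentication ID"
        if method not in self.permissions.get(client, set()):   # step 303
            return "rejected: not authorized"
        return f"ok: {client} called {method}"               # step 304

    def logoff(self, client):
        # [0031]: delete the client's remaining entries when it logs off
        for auth_id, (owner, _) in list(self.working_table.items()):
            if owner == client:
                del self.working_table[auth_id]
```

Because `validate()` pops the entry before checking anything, every presented ID is consumed exactly once, including IDs that turn out to be expired or that fail the authorization step; that matches the "expires upon use" behaviour the text describes and keeps the table from growing with stale entries.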

[0032]Another aspect of an embodiment of the invention relates to the
authentication of a client to gain access to the web services that are
hosted by a remote server. Preferably, the secure communication module
100 is independent from the platforms on which web services are hosted.
Furthermore, the secure communication module 100 is preferably
independent from the protocol used to access those web services.

[0033]FIG. 4 shows another example of a secure communication module 400 in
an example of a secure communication environment 450 in accordance with
an embodiment of the present invention. The secure communication module
400 comprises an authentication ID provider 101, an authentication ID
validator 102, an authentication module 403, an authorization module 404,
and an information repository 405. The authentication ID provider 101 and
the authentication ID validator 102 are similar to those described above.
The authentication module 403 and the authorization module 404
authenticate and authorize a client application 15 used by a user or
developer of network services such as web services. The authentication
typically takes place during a login procedure. The authentication module
403 and the authorization module 404 may comprise software code or code
embedded in hardware. The information repository 405 contains information
used to authenticate and authorize client applications 15, as well as
storing authentication ID allocations. The information repository 405 may
be a database. The authentication ID provider 101, authentication ID
validator 102, authentication module 403, and authorization module 404
are connected to the information repository 405 and may be accessed by an
external communication module.

[0034]Components may be added or removed from the secure communication
module 400. For example, a communication module 410 may be included to
receive and send communication with external client applications 15 or
network services 21. Furthermore, a billing module 411 may be added to
the secure communication module 400 to charge users using client
applications 15 and network service providers, such as web service
providers, for the pool of authentication IDs and the use of the pool of
authentication IDs.

[0035]Client applications 15 may be charged based upon the size of the
pool of authentication IDs. Packages of authentication IDs may be
available for a client application 15 to order. For example, a client
application 15 may order a basic package of 100 authentication IDs, or a
premium package of 1000 authentication IDs. Other sizes of packages may
be preset. A client application 15 may also be prompted by the
authentication ID provider to enter the number of authentication IDs in
the pool of authentication IDs.

[0036]Alternatively, the billing module may charge based upon use of an
authentication ID. In such a scenario, a metering module 412 is added to
the secure communication module 400 to track and record usage of the pool
of authentication IDs. The information collected by the metering module
412 is stored in the information repository.

[0037]The secure communication environment 450 comprises a client
application 15, the secure communication module 400, and a network
service 21. The client application 15 and the network service 21
communicate through the communication module 410. The communication
module 410 also communicates (not shown) with the components of the
secure communication module 400. Alternatively, the communication module
410 may be located remotely on another server.

[0038]FIG. 5 shows an example of a sequence of logging into a network
service such as a web service and using the pool of authentication IDs.
In FIG. 5, the sequences are listed as A, B, C1, R1, . . . , Cn, Rn,
where n is an integer greater than one. The step "A" represents a client
application 15 sending client application credentials, such as a user
name and password over a secured channel, such as hypertext transfer
protocol over secure socket layer (https). The step "B" represents the
server authenticating the client application 15 and returning a pool of n
authentication IDs over the secured channel. The steps "C1" to "Cn"
represent the client application 15 making up to n web service calls over
an unsecured channel using a different authentication ID from the pool of
n authentication IDs returned. Each authentication ID will expire upon
use. The steps "R1" to "Rn" represent the server validating the
authentication ID used and returning the result of the web service call
to the client application 15. There is no step R, i.e., no response, if a
web service call does not require a response.

[0039]FIG. 6 shows a method for providing a pool of authentication IDs
(600) for use in network communication. The method begins with the secure
communication module 400 receiving a request for a pool of authentication
IDs from a client application 15 requesting the use of a network service,
such as a web service. Specifically, the secure communication module 400
receives client application credentials over a secured channel (601). The
client application credentials are passed to the authentication module
403 to authenticate the client application 15 (602). The authentication
module 403 may reference the information repository 405 when
authenticating the client application 15. If the client application 15 is
not authentic (602), i.e., the client application credentials are
incorrect, then the request is rejected (605). If the client application
15 is authentic (602), then the request is passed to the authentication
ID provider 101. The authentication ID provider 101 creates and assigns a
pool of authentication IDs and sends the pool of authentication IDs to
the client application 15 (603) over a secured channel. The pool of
authentication IDs may be passed as parameters by the client
application 15 when invoking method calls of the requested network
service 21. The authentication IDs may be created and assigned by code in
the authentication ID provider 101. Alternatively, a bank of
authentication IDs may be stored in the information repository 405 to be
assigned by the authentication ID provider 101. The client application
15 is sent the pool of authentication IDs (604) and the method is done
(606). The client application 15 may now use the pool of authentication
IDs. Other steps may be added to the method (600), such as billing users
using client applications 15 or network service providers, such as web
service providers, for the authentication IDs or the use of
authentication IDs. As described above, client applications 15 may be
billed based upon the number of authentication IDs in the pool of
authentication IDs. Furthermore, the usage of the authentication IDs may
be tracked and metered for billing client applications 15 on a per-use
basis.

[0040]The assignment of the pool of authentication IDs may be registered
in the information repository 405. Alternatively, the assignment of the
pool of authentication IDs may be registered with the authentication ID
validator 102. The registration of the pool of authentication IDs may be
in the form of a file containing the assigned pool of authentication IDs,
their status, such as used and not used, and client application
credentials information, such as the user name and password. Other
information may be added to the registration file as desired. The
registration file may be referenced by the authentication ID validator
102 when the client application 15 uses each authentication ID.
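The following is an added example, written for this page and not code from the patent or its applicant, covering the FIG. 5 exchange and the FIG. 6 method together with the registration record of [0040] and the metering of [0036]. Unlike the working-table approach, which deletes an ID on use, this version keeps each assigned ID in a registration record with a "used" / "not used" status, as [0040] describes, and counts consumed IDs per client for per-use billing. The authentication module 403 verifies credentials against a salted password hash held in the information repository 405 (step 602), so the registration record references the user name rather than storing the password itself. The `run_fig5_sequence()` function walks steps A, B, C1..Cn, R1..Rn and then presents one already-used ID again, the way an eavesdropper on the unsecured channel would, to show that it is rejected. The class names, the PBKDF2 parameters, the constructed test account and the stand-in web service response are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not the patent's own code. It models the FIG. 6 authentication
# module (step 602) backed by an information repository, the registration
# record of [0040] (assigned IDs with a "used" / "not used" status), and the
# metering count of [0036]; run_fig5_sequence() walks the FIG. 5 exchange
# A, B, C1..Cn, R1..Rn and then replays an already-used ID. Class and method
# names, the PBKDF2 parameters and the test account are assumptions.

PBKDF2_ITERATIONS = 100_000


def _hash_password(password, salt):
    # credentials are stored as a salted hash, never in clear, so the
    # registration record can reference the user name rather than the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class InformationRepository:
    """Information repository 405: credentials, registrations and metering."""

    def __init__(self):
        self.credentials = {}    # user -> (salt, password_hash)
        self.registrations = {}  # auth_id -> {"user": ..., "status": ...}
        self.metering = {}       # user -> number of IDs consumed ([0036])

    def add_client(self, user, password):
        salt = os.urandom(16)
        self.credentials[user] = (salt, _hash_password(password, salt))


class AuthenticationModule:
    """Authentication module 403: verifies client application credentials."""

    def __init__(self, repo):
        self.repo = repo

    def authenticate(self, user, password):          # step 602
        record = self.repo.credentials.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)


class AuthenticationServer:
    """Server side of FIG. 5: issues pools (A/B) and validates calls (C/R)."""

    def __init__(self, repo):
        self.repo = repo
        self.auth_module = AuthenticationModule(repo)

    def login(self, user, password, pool_size):
        if not self.auth_module.authenticate(user, password):
            return None                                   # step 605: rejected
        pool = [secrets.token_urlsafe(16) for _ in range(pool_size)]
        for auth_id in pool:                              # register the pool
            self.repo.registrations[auth_id] = {"user": user, "status": "not used"}
        return pool                                       # steps 603/604

    def web_service_call(self, auth_id, method):
        rec = self.repo.registrations.get(auth_id)
        if rec is None or rec["status"] != "not used":
            return ("error", "authentication ID rejected")
        rec["status"] = "used"                            # expires upon use
        user = rec["user"]
        self.repo.metering[user] = self.repo.metering.get(user, 0) + 1
        return ("ok", f"{method} performed for {user}")   # stands in for Rn


def run_fig5_sequence(n=3):
    """Constructed walk-through: one bad login, one good login, n calls, one replay."""
    repo = InformationRepository()
    repo.add_client("alice", "correct horse battery")     # constructed account
    server = AuthenticationServer(repo)
    bad_login = server.login("alice", "wrong password", n)
    pool = server.login("alice", "correct horse battery", n)   # A -> B
    results = [server.web_service_call(pool[i], f"method{i + 1}")[0]
               for i in range(n)]                         # C1..Cn -> R1..Rn
    replay = server.web_service_call(pool[0], "method1")[0]    # used ID again
    return {"bad_login": bad_login, "results": results,
            "replay": replay, "metered": repo.metering["alice"]}


if __name__ == "__main__":
    print(run_fig5_sequence())
```

Keeping used IDs in the record with a "used" status, rather than deleting them, costs storage but gives the metering module an audit trail of which IDs were consumed and when each client's pool is exhausted, which is the point at which the client must log in again for a new pool ([0027]).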

[0041]The pool of authentication IDs is valuable to the client application
15 by providing extra security to prevent misuse of the web service for
which the client application 15 is paying. It is also good for the
network services provider or host, such as a web services provider, since
network services access will be more secure which may be a requirement to
gain contracts with certain clients.

[0042]Either secure communication module 100 or 400 according to the
present invention may be implemented by any hardware, software or a
combination of hardware and software having the above described
functions. The software code, either in its entirety or a part thereof,
may be stored in a computer readable memory. Further, a computer data
signal representing the software code which may be embedded in a carrier
wave may be transmitted via a communication network. Such a computer
readable memory and a computer data signal are also within the scope of
the present invention, as well as the hardware, software and the
combination thereof.

[0043]While particular embodiments of the present invention have been
shown and described, changes and modifications may be made to such
embodiments without departing from the true scope of the invention.